There’s No Clear Response to Hack that Cancelled ‘The Interview’

Nearly everyone from Hollywood to the White House agrees that something has to be done to respond to an apparent North Korean hack of Sony Pictures that stole private info, threatened employees, leaked a script for the next James Bond film, and ultimately led the studio to cancel the release of The Interview, a $44 ...

Nearly everyone from Hollywood to the White House agrees that something has to be done to respond to an apparent North Korean hack of Sony Pictures that stole private info, threatened employees, leaked a script for the next James Bond film, and ultimately led the studio to cancel the release of The Interview, a $44 million comedy. The problem is that no one knows what form that retaliation should take.

On Thursday, White House spokesman Josh Earnest refused to confirm reports that North Korea was responsible, but said President Barack Obama “considers this to be a serious national security matter.” The president, Earnest added, “would be mindful of the fact that we need a proportional response.”

But sorting out what would be a proportional response to an attack against a private company — and not a government or military target — is extraordinarily hard. Cyber security experts said that the White House could order some kind of cyber retaliation against North Korea, although it remains unclear what form this could take or whether this would deter future hacks. North Korea has few private companies, so the only targets for potential U.S. retaliation would likely involve Pyongyang itself. That, in turn, could easily lead to a tit-for-tat escalation with North Korea, with uncertain prospects for both countries.

“It’s a new area, and we’re in uncharted territory,” said Scott Snyder, a senior fellow for Korea studies at the Council on Foreign Relations. “It’s hard to know at this point if there are other options that might be less visible” targets for cyber retaliation like the North Korean equivalent of Sony.

Snyder said if Sony could produce evidence implicating an individual, a group of individuals, or a private company in the hacking, it could sue them for monetary damages. With the U.S. government reportedly believing that a country was behind the attack, the federal government is taking the lead, which takes that kind of financial path off of the table.

Some, including Rep. Ed Royce, the Republican chairman of the House Committee on Foreign Affairs, suggested on Hugh Hewitt’s radio show yesterday that the United States should rally the international community to impose financial sanctions on North Korea. It’s unlikely these penalties would be levied by the United Nations, where North Korea’s ally China would almost certainly veto the measure.

As those options are being considered, there are doubts in the tech community that North Korea is actually responsible for the attack.

“There’s no direct, hard evidence that implicates North Korea,” Sean Sullivan, a security adviser at Finnish security firm F-Secure, told the tech blog Tom’s Guide. “There is evidence of extortion [a November 21 message to Sony executives demanding money] and the hackers only mentioned [the movie] The Interview after it was brought up in the press, which they then used to their advantage.”

Others contend that known evidence shows the hack likely came from a disgruntled Sony employee.

“It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider,” Marc W. Rogers, a security researcher at San Francisco-based Web-traffic optimizer CloudFlare, wrote on his personal blog today.

“Whoever did this is in it for revenge,” Rogers continued. “The info and access they had could have easily been used to cash out, yet, instead, they are making every effort to burn Sony down.”